Craftercms

craftercms

27 CVEs • 3 products

Products (3)

Click to collapse

Toggle

CVEs (27)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-6384 1Craftercms 1Craftercms Dec 16, 2025 Jun 19, 2025 7.3 HIGH· v4 9.1 CRITICAL· v3 N/A· v2 Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of CrafterCMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elemen...Show more Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of CrafterCMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elements, an attacker may bypass Sandbox restrictions and obtain RCE (Remote Code Execution). This issue affects CrafterCMS: from 4.0.0 through 4.2.2.Show less
CVE-2025-0502 1Craftercms 1Craftercms Dec 15, 2025 Jan 15, 2025 6.9 MEDIUM· v4 9.1 CRITICAL· v3 N/A· v2 Transmission of Private Resources into a New Sphere ('Resource Leak') vulnerability in CrafterCMS Engine on Linux, MacOS, x86, Windows, 64 bit, ARM allows Directory Indexing, Resource Leak Exposure.This issue affects Cra...Show more Transmission of Private Resources into a New Sphere ('Resource Leak') vulnerability in CrafterCMS Engine on Linux, MacOS, x86, Windows, 64 bit, ARM allows Directory Indexing, Resource Leak Exposure.This issue affects CrafterCMS: from 4.0.0 before 4.0.8, from 4.1.0 before 4.1.6.Show less
CVE-2023-4136 1Craftercms 1Craftercms Feb 13, 2025 Aug 3, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CrafterCMS Engine on Windows, MacOS, Linux, x86, ARM, 64 bit allows Reflected XSS.This issue affects CrafterCMS: from...Show more Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CrafterCMS Engine on Windows, MacOS, Linux, x86, ARM, 64 bit allows Reflected XSS.This issue affects CrafterCMS: from 4.0.0 through 4.0.2, from 3.1.0 through 3.1.27.Show less
CVE-2023-33194 2Craftcms Craftercms 2Craft Cms Craftercms Nov 21, 2024 May 26, 2023 N/A· v4 4.8 MEDIUM· v3 N/A· v2 Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in la...Show more Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was patched in version 4.4.6.Show less
CVE-2023-26020 1Craftercms 1Crafter Cms Nov 21, 2024 Feb 17, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crafter Studio on Linux, MacOS, Windows, x86, ARM, 64 bit allows SQL Injection.This issue affects CrafterCMS v4.0 from...Show more Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crafter Studio on Linux, MacOS, Windows, x86, ARM, 64 bit allows SQL Injection.This issue affects CrafterCMS v4.0 from 4.0.0 through 4.0.1, and v3.1 from 3.1.0 through 3.1.26. Show less
CVE-2022-40635 1Craftercms 1Crafter Cms Nov 21, 2024 Sep 13, 2022 N/A· v4 7.2 HIGH· v3 N/A· v2 Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass.
CVE-2022-40634 1Craftercms 1Crafter Cms Nov 21, 2024 Sep 13, 2022 N/A· v4 7.2 HIGH· v3 N/A· v2 Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker SSTI.
CVE-2021-23267 1Craftercms 1Crafter Cms Nov 21, 2024 May 16, 2022 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker static methods.
CVE-2021-23266 1Craftercms 1Crafter Cms Nov 21, 2024 May 16, 2022 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 An anonymous user can craft a URL with text that ends up in the log viewer as is. The text can then include textual messages to mislead the administrator.
CVE-2021-23265 1Craftercms 1Crafter Cms Nov 21, 2024 May 16, 2022 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 A logged-in and authenticated user with a Reviewer Role may lock a content item.
CVE-2021-23264 1Craftercms 1Crafter Cms Nov 21, 2024 Dec 2, 2021 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes.
CVE-2021-23263 1Craftercms 1Crafter Cms Nov 21, 2024 Dec 2, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/, /templates/ and some of the files in /.git/* (non-binary).
CVE-2021-23262 1Craftercms 1Crafter Cms Nov 21, 2024 Dec 2, 2021 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Authenticated administrators may modify the main YAML configuration file and load a Java class resulting in RCE.
CVE-2021-23261 1Craftercms 1Crafter Cms Nov 21, 2024 Dec 2, 2021 N/A· v4 4.9 MEDIUM· v3 4.0 MEDIUM· v2 Authenticated administrators may override the system configuration file and cause a denial of service.
CVE-2021-23260 1Craftercms 1Crafter Cms Nov 21, 2024 Dec 2, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Authenticated users with Site roles may inject XSS scripts via file names that will execute in the browser for this and other users of the same site.
CVE-2021-23259 1Craftercms 1Crafter Cms Nov 21, 2024 Dec 2, 2021 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Authenticated users with Administrator or Developer roles may execute OS commands by Groovy Script which uses Groovy lib to render a webpage. The groovy script does not have security restrictions, which will cause attack...Show more Authenticated users with Administrator or Developer roles may execute OS commands by Groovy Script which uses Groovy lib to render a webpage. The groovy script does not have security restrictions, which will cause attackers to execute arbitrary commands remotely(RCE).Show less
CVE-2021-23258 1Craftercms 1Crafter Cms Nov 21, 2024 Dec 2, 2021 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Authenticated users with Administrator or Developer roles may execute OS commands by SPEL Expression in Spring beans. SPEL Expression does not have security restrictions, which will cause attackers to execute arbitrary c...Show more Authenticated users with Administrator or Developer roles may execute OS commands by SPEL Expression in Spring beans. SPEL Expression does not have security restrictions, which will cause attackers to execute arbitrary commands remotely (RCE).Show less
CVE-2017-15686 1Craftercms 1Crafter Cms Nov 21, 2024 Nov 27, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Crafter CMS Crafter Studio 3.0.1 is affected by: Cross Site Scripting (XSS), which allows remote attackers to steal users’ cookies.
CVE-2017-15685 1Craftercms 1Crafter Cms Nov 21, 2024 Nov 27, 2020 N/A· v4 8.6 HIGH· v3 5.0 MEDIUM· v2 Crafter CMS Crafter Studio 3.0.1 is affected by: XML External Entity (XXE). An unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band.
CVE-2017-15684 1Craftercms 1Crafter Cms Nov 21, 2024 Nov 27, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Crafter CMS Crafter Studio 3.0.1 has a directory traversal vulnerability which allows unauthenticated attackers to view files from the operating system.

12 Next